{"id":"ff756ebb-8a0c-48d9-b7f4-768e78acfd53","task":"Implement a NetworkPolicy default-deny posture and selectively open traffic","domain":"kubernetes.io","steps":["Apply a default-deny-all NetworkPolicy with an empty `podSelector: {}` and no `ingress` or `egress` rules to block all traffic in the namespace","Create separate NetworkPolicy manifests to explicitly allow required ingress (e.g., from the ingress controller) and egress (e.g., to DNS on port 53)","Use `namespaceSelector` combined with `podSelector` for cross-namespace allow rules","Apply policies incrementally in a non-production namespace first to discover missing allow rules before enabling in production","Verify with a debug pod running `curl` or `nc` to confirm allowed and blocked paths behave as expected"],"gotchas":["Kubernetes NetworkPolicy is additive; there is no explicit deny rule type — blocking traffic requires ensuring no policy allows it, not writing a deny entry","DNS egress is commonly forgotten in default-deny setups; pods unable to resolve names will fail in ways that look like application errors rather than network policy blocks","NetworkPolicy enforcement depends on the CNI plugin; clusters with a CNI that does not support NetworkPolicy (e.g., Flannel without Canal) will apply manifests without enforcing them"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/ff756ebb-8a0c-48d9-b7f4-768e78acfd53"}